CN111447214B - Method for centralized service of public key and cipher based on fingerprint identification - Google Patents

Method for centralized service of public key and cipher based on fingerprint identification

Info

Publication number
CN111447214B
Authority
CN
China
Prior art keywords
user
signature
key
certificate
service
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010216292.8A
Other languages
Chinese (zh)
Other versions
CN111447214A (en)
Inventor
赵瑞
甄鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zuojiang Technology Co ltd
Original Assignee
Beijing Zuojiang Technology Co ltd
Application filed by Beijing Zuojiang Technology Co ltd
Priority to CN202010216292.8A
Publication of CN111447214A
Application granted
Publication of CN111447214B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for centralized public key cryptography service based on fingerprint identification, which comprises the following steps: after a client connects to a login service and synchronizes time, the acquired user fingerprint is protected by a one-time pad algorithm and sent to the login service for verification; it is determined whether the user is logging in to the system for the first time, and if so, a cryptographic service is called to generate a signature public/private key pair and a signature certificate CSR application file; the CSR file is then submitted to a CA (certificate authority) to apply for a signature certificate and an encryption certificate; when the CA returns the signature certificate, the encryption certificate and the encryption private key, it is verified whether the certificate imported by the user is a valid certificate issued to that user by the CA; after the verification passes, the user's public/private key certificates and related files are decrypted and converted, then encrypted with a PIN code generated from the user fingerprint template and stored in a database; after the user's encryption and signature certificates are imported at the client, data encryption and decryption services are performed based on the public and private keys of the encryption certificate, or signing and signature verification services are performed based on the signature public and private keys.

Description

Method for centralized service of public key and password based on fingerprint identification
Technical Field
The invention relates to computer security technology, in particular to a centralized public key cryptography service method based on fingerprint identification.
Background
Cryptography is the core technology of information security; identity authentication, access control, digital signatures, information confidentiality and the like are all inseparable from it. When a terminal cipher machine or cipher card is used at the client, it is bound to the client computer and generally cannot be changed at will. When a USBKey is used, a public key algorithm is generally used for digital signature and verification, and a PIN code protecting the private key must be entered, which is inconvenient for the user. Moreover, the user's digital signature is tied only to the device that stores the private key and is not combined with the user's personal identity information, so there is no guarantee that the person using the certificate is its owner. Because the system authenticates only the object presented, problems such as lost or forgotten passwords, vulnerability to attack and lost USBKeys arise easily, and device loss and identity impersonation are a constant risk. Anyone else who holds the USBKey can crack the PIN code and produce digital signatures under the user's identity. When a USBKey is used at a user terminal, user data is generally not encrypted, mainly because the USBKey's symmetric encryption throughput is low.
Therefore, it is necessary to provide a fingerprint identification device for a user at a client for authenticating the identity of the user, and to integrate cryptographic services such as digital signature and signature verification, data encryption and decryption, etc. into a public key cryptographic server.
In an office network environment, a user generally has to enter a password to log in to an office system such as an OA (office automation) system, and has to remember a complex password, for example one mixing upper- and lower-case letters and digits, which is easy to forget. In practice, many users adopt fixed, easy-to-remember passwords that never change, which reduces security. Even where a USBKey is used, users often choose an easily memorized PIN code, or even keep the factory default PIN code and never change it. Once the USBKey is lost, the PIN code is easily cracked, so that whoever holds the USBKey can log in to the system as the real user, which is a serious security threat. When the client uses a terminal cipher machine or cipher card, it is bound to the client computer and generally cannot be changed at will.
Disclosure of Invention
The present invention is directed to a method for centralized public key cryptography service based on fingerprint identification, which is used to solve the above-mentioned problems of the prior art.
The invention discloses a method for centralized public key cryptography service based on fingerprint identification, which comprises the following steps: performing login authentication, including: after a client connects to a login service and synchronizes time, the collected user fingerprint is protected by a one-time pad algorithm and sent to the login service for verification; the login service compares the collected user fingerprint information with the user fingerprint information stored in a database server, and if the verification fails, an error message is returned; after the verification passes, the login service generates a TOKEN, selects a cryptographic service node for the client, and returns the TOKEN together with the IP address and port number of the cryptographic service node to the client; TOKEN authentication is performed when the user accesses the cryptographic service; if the login authentication passes, the method continues, otherwise it ends; it is determined whether the user is logging in to the system for the first time, and if so, the cryptographic service is called to generate a signature public/private key pair and a signature certificate CSR application file; the user then submits the CSR file to a CA (certificate authority) to apply for a signature certificate and an encryption certificate; after the CA returns the signature certificate, the encryption certificate and the encryption private key, the CA root certificate is used to verify whether the certificate imported by the user is a valid certificate issued to that user by the CA; after the verification passes, the user's public/private key certificates and related files are decrypted and converted, then encrypted with a PIN code generated from the user fingerprint template and stored in a database; after the user's encryption and signature certificates are imported at the client, data encryption and decryption services are performed based on the public and private keys of the encryption certificate, or signing and signature verification services are performed based on the signature public and private keys.
According to an embodiment of the present invention, the protection of the one-time pad algorithm comprises: at login, the user enters a password; the client applies an HMAC algorithm to the user password and time factor data, with the user password as the key of the HMAC algorithm, to obtain a one-time password; the one-time password is then used to protect the fingerprint collection information in transit.
According to an embodiment of the method for centralized public key and password service based on fingerprint identification of the present invention, the decryption private key and the signature private key are encrypted and protected by a PIN code generated by hashing the user fingerprint template information; the signature private key and the verification public key certificate are used for carrying out digital signature and signature verification on user data; the user file/data key is used for carrying out symmetric algorithm encryption on files or data requested to be encrypted by a user, the user file/data key is encrypted and protected by the user encryption public key, and the user file/data key is decrypted by the user decryption private key.
According to an embodiment of the method for centralized public key cryptography service based on fingerprint identification, each time a user encrypts data, the user first calls an initialization interface; a symmetric encryption key is generated according to the symmetric algorithm and mode and is protected by encryption under the user encryption public key, so that every encryption of user files and data uses a one-time key.
According to an embodiment of the method for centralized public key cryptography service based on fingerprint identification of the present invention, the PIN code of the user's fingerprint template is used as a key to symmetrically encrypt the TOKEN plaintext; the client presents the TOKEN when accessing the cryptographic service and calling the services it provides; the cryptographic service looks up the user information by user ID number, decrypts the TOKEN with the fingerprint template PIN code, and verifies the TOKEN plaintext.
According to an embodiment of the present invention, the method for centralized public key cryptography service based on fingerprint identification comprises: calling a cryptographic service interface on the client to generate a signature key pair; calling a cryptographic service interface on the client to generate a signature certificate CSR application file; submitting the CSR application file to the RA; the RA submits the CSR application file and user information to the CA; the CA obtains the user information and the CSR application file and applies to the KMC for a key; the KMC generates a symmetric encryption key and a pair of asymmetric encryption keys, the asymmetric pair being an encryption public key and a decryption private key; the decryption private key is encrypted with the symmetric encryption key; the symmetric key is encrypted with the verification public key provided by the user; the KMC sends the encryption public key, the encrypted decryption private key and the encrypted symmetric key to the CA; the CA generates a signature certificate from the user verification public key and the user information; the CA generates an encryption certificate from the encryption public key and the user information; the RA downloads the encryption certificate, the signature certificate, the encrypted decryption private key and the encrypted symmetric encryption key; the user downloads the encryption certificate, the signature certificate, the encrypted decryption private key and the encrypted symmetric encryption key; calling a cryptographic service interface on the client to import the signature certificate into the cryptographic service; the cryptographic service verifies the legitimacy and validity period of the signature certificate imported by the user and whether its CN is consistent with the user's ID number; calling a cryptographic service interface on the client to import the ciphertexts of the encryption certificate and the private key password into the cryptographic service; the cryptographic service verifies the legitimacy and validity period of the encryption certificate imported by the user and whether its CN is consistent with the user's ID number; the cryptographic service decrypts the encrypted data with the signature private key to obtain the symmetric encryption key; the cryptographic service decrypts the encrypted data with the symmetric encryption key to obtain the decryption private key; and the user's signature private key and decryption private key are symmetrically encrypted with a PIN code generated by hashing the user template information and stored in a database.
According to an embodiment of the method for centralized public key cryptography service based on fingerprint identification of the present invention, after a user imports an encryption certificate at a client, the encryption part of the data encryption and decryption service based on the encryption public/private key pair includes: passing the data to be encrypted, the algorithm type selected by the user and the encryption mode to the cryptographic service; the cryptographic service generates a symmetric encryption key and an initial vector according to the algorithm and mode selected by the user; the user data is encrypted with the symmetric algorithm under the symmetric encryption key, and the symmetric encryption key is encrypted with the user encryption public key; the symmetric encryption key ciphertext and the user data ciphertext are returned to the client.
According to an embodiment of the method for centralized public key cryptography service based on fingerprint identification of the present invention, after a user imports an encryption certificate at a client, the decryption part of the data encryption and decryption service based on the encryption public/private key pair includes: the user passes information such as the user data ciphertext and the symmetric encryption key ciphertext to the cryptographic service; the cryptographic service decrypts the user's decryption private key using the user's PIN code; the symmetric encryption key is decrypted using the user decryption private key; the user data ciphertext is decrypted using the symmetric encryption key; the decrypted user data is returned to the client.
According to an embodiment of the present invention, in the method for centralized public key cryptography service based on fingerprint identification, the user digital signature and signature verification comprise: after a user passes fingerprint identity authentication at a client, digital signature and signature verification services are performed on data based on the signature public/private key pair; the digital signature process comprises the following steps: the user transmits the data to be signed to the cryptographic service; the cryptographic service sends the signature private key ciphertext and the user data together into the cipher card, which performs the following operations: generating a hash value of the user data using a hash algorithm; decrypting the user's signature private key with the PIN code computed from the fingerprint template, and encrypting the hash value with the user's signature private key to obtain a signature value; the signature value is returned to the client; the signature verification process comprises the following steps: the ID of the peer user, the original data and the signature value are sent to the cryptographic service; the cryptographic service looks up the signature certificate of the peer user by that ID and verifies the validity of the certificate; the verification public key is extracted from the signature certificate; the verification public key, the user data and the signature value are sent together into the cipher card, which performs the following operations: decrypting the signature value with the public key to obtain hash value 1; hashing the original data with the hash algorithm to obtain hash value 2; comparing hash value 1 and hash value 2: if the two are the same, the verification succeeds, and if they differ, the verification fails; the result of successful or failed verification is returned to the client.
According to an embodiment of the method for centralized public key cryptography service based on fingerprint identification, after the CA issues the signature certificate, an encryption public/private key pair is generated for the user; the CA takes the user information carried in the signature CSR file and issues an encryption certificate for the user; the CA generates a random number as a password to protect the private key of the encryption key pair, and the random number is then encrypted with the public key in the signature CSR file.
Compared with existing password login techniques, the invention removes the step of entering a password at login, and with it the risk that a file in which the user has saved the password is leaked or that the user forgets the password. In addition, because the user's fingerprint image information is collected and protected with an OTP one-time pad every time, the data sent over the network differs on every login, and the server also sets a validity period for a single login, which prevents replay attacks. Compared with USBKey login, the security risks of the user having to remember a PIN code and of losing the USBKey device are avoided; the invention stores users' public and private keys centrally on the server side, and the terminal needs no cipher machine or cipher card, which removes the possibility of leaking secrets at the client.
Drawings
FIG. 1 is a schematic diagram of a system for a public key crypto-centralized service based on fingerprinting;
FIG. 2 is a diagram of a public key cryptographic server software framework;
FIG. 3 is a schematic diagram of fingerprint recognition;
FIG. 4 is a diagram illustrating the use of different user keys;
FIG. 5 is a flow chart of user fingerprint login authentication.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
Fig. 1 is a schematic diagram of a system for centralized public key cryptography service based on fingerprint identification, and as shown in fig. 1, the system for centralized public key cryptography service based on fingerprint identification is composed of a server subnet and a client subnet. The server subnet mainly comprises a public key password server, a user management client and the like, and the main functions comprise user management client software (comprising functions of user registration management, user fingerprint acquisition and storage and the like), and a password service process (providing service functions of user identity authentication, user digital signature and signature verification, user data encryption and decryption, basic password operation service and the like). The client subnet mainly comprises client software and a fingerprint acquisition instrument, and the main functions comprise fingerprint data acquisition and login verification of a user on site, user certificate application and import, user data encryption, digital signature and verification request and the like.
The remote client subnet is the same as the local client subnet; an IPSec VPN device is placed at each end of the network link to encrypt network data in transit.
Fig. 2 is a diagram of the public key cryptography server software framework. As shown in fig. 2, the invention includes two kinds of service. One is the global service, which can independently establish connections with clients and process the related commands; it comprises RouteService and the cipher service CipherService. The other is the internal service, which does not establish connections with clients directly, so commands exchanged with a client must be forwarded by RouteService; it comprises the login service LoginService and UmgrService. These services may be deployed on the same machine or on different machines within a local area network. After a service starts, it automatically connects to RouteService at the address set in its configuration file, registers itself, and updates its information about the other service nodes.
As shown in fig. 2, RouteWorker is the service process of RouteService and listens for connection requests from the other sub-services and from clients. After a service connects to RouteWorker, the corresponding node information is registered or updated. After a client connects to RouteWorker, RouteWorker finds the internal services able to handle the command and forwards the command to an idle one.
LoginWorker is the service process of the login service LoginService and handles fingerprint comparison when a user logs in.
UmgrWorker is the service process of UmgrService and mainly implements user registration, deletion, update and query.
CipherWorker is the service process of the cipher service CipherService and implements users' calls to the algorithm engine; once started, CipherWorker listens on the service port and creates a separate channel for each client that connects.
Fig. 3 is a schematic diagram of fingerprint recognition. As shown in fig. 3, it includes two stages, offline storage and online recognition.
Fingerprint verification process: the person's ID is used to retrieve the pre-recorded fingerprint features from the fingerprint library, which are then compared with the fingerprint data collected on site to confirm whether the person is the one to be identified.
The embodiment is developed on the matching SDK; it extracts, transmits and stores fingerprint data, and uses a dynamic library to compare collected fingerprints with stored fingerprint template information. At initial collection the device requires the same finger to be captured three times, and the fingerprint template information for that finger (within 2 KB in length) is obtained by combining the three captures.
To secure the transmission of fingerprint collection data, a one-time password is generated using the Time-based One-Time Password (TOTP) technique. The specific process is as follows: before logging in, the user enters at the client the password it shares with the server; the client applies an HMAC algorithm to the user password and time factor data to obtain a one-time password (the user password is used as the key of the HMAC algorithm), and the one-time password is then used to protect the fingerprint collection information in transit.
Fig. 4 is a schematic diagram of the user key structure. As shown in fig. 4, the keys are divided into the user signature public/private keys, the encryption public/private keys, the user file/data key, and other keys. The user decryption private key and signature private key are protected by encryption under a PIN code generated by hashing the user fingerprint template information; the user signature private key and the verification public key certificate are used for digital signature and signature verification of user data; the user file/data key is used to encrypt, with a symmetric algorithm, the files or data the user asks to have encrypted; the user file/data key is itself protected by encryption under the user encryption public key and is decrypted with the user decryption private key; when the user calls the encryption service interface, the server generates a random number on the spot as the user file/data key. Each time a user encrypts data, the user first calls the initialization interface; a symmetric encryption key is generated according to the selected symmetric algorithm and mode and is protected by encryption under the user encryption public key, so that each user file/data encryption uses a one-time key.
Fig. 5 is a flowchart of the user fingerprint login verification process. As shown in fig. 5, user identity authentication includes:
Before using the cryptographic services provided by the public key cryptographic server, the user must perform login authentication:
(1) first, the client connects to the login service and synchronizes time; the client then protects the user ID and the collected user fingerprint with the OTP (one time pad) algorithm and sends them to the login service for verification;
(2) the login service LoginService compares the collected user fingerprint information with the user fingerprint information stored in the database server; if the verification fails, an error message is returned, and the same user is limited to 5 login attempts within a continuous period of time (such as 2 hours), so as to prevent malicious attacks;
(3) after the verification passes, LoginService generates a TOKEN, selects a cipher service CipherService node for the client, and returns the TOKEN together with information such as the IP address and port number of that CipherService node to the client. When the user accesses the cipher service CipherService, the TOKEN is presented for authentication;
The TOKEN is generated as follows: the TOKEN plaintext (a character string containing identification information of the user) is symmetrically encrypted with the PIN code of the user fingerprint template as the key.
(4) for a remote user, a VPN device must be used between the remote user subnet and the server subnet to encrypt data in transit, so as to ensure the security of data transmission.
TOKEN authentication includes:
The client presents the TOKEN when it accesses the cipher service CipherService and calls the cryptographic services that CipherService provides. CipherService looks up the user information by user ID number, decrypts the TOKEN with the fingerprint template PIN code and verifies the JSON data; the cryptographic services can be called only after TOKEN authentication passes.
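The login exchange in steps (1) to (3) and the TOKEN check just described can be traced end to end in the following added example, which is not code from the patent. Assumptions: SHA-256 as the hash, a 30-second time step, a 300-second login validity period, an HMAC-based encrypt-then-MAC construction (`seal`/`unseal`) standing in for the symmetric algorithm the text does not name, and byte equality standing in for the SDK's fingerprint matcher; every function and class name is hypothetical.

```python
import hashlib
import hmac
import json
import os
import struct

STEP = 30        # assumed time-factor step in seconds; the page gives no value
TOKEN_TTL = 300  # assumed validity period of a single login, in seconds


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def one_time_key(password: bytes, now: float, offset: int = 0) -> bytes:
    """HMAC over the time factor, keyed with the user password, as the page describes."""
    return _mac(password, struct.pack(">Q", int(now // STEP) + offset))


def pin_from_template(template: bytes) -> bytes:
    """PIN code generated by hashing the stored fingerprint template."""
    return hashlib.sha256(template).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(_mac(key, nonce + struct.pack(">I", i)) for i in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the symmetric algorithm the page leaves unnamed."""
    nonce = os.urandom(16)
    body = _xor_stream(_mac(key, b"enc"), nonce, plaintext)
    return nonce + body + _mac(_mac(key, b"mac"), nonce + body)


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob was not sealed under this key."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + body)):
        return None
    return _xor_stream(_mac(key, b"enc"), nonce, body)


def client_login_blob(password: bytes, fingerprint: bytes, now: float) -> bytes:
    """Client side: protect the collected fingerprint with the one-time key."""
    return seal(one_time_key(password, now), fingerprint)


class Server:
    """LoginService and CipherService roles over one user table."""

    def __init__(self, users: dict):
        self.users = users  # user_id -> {"password": bytes, "template": bytes}
        self.seen = set()   # accepted login blobs, kept to reject replays

    def login(self, user_id: str, blob: bytes, now: float):
        """LoginService side: return a TOKEN, or None if the login is rejected."""
        user = self.users.get(user_id)
        if user is None or blob in self.seen:
            return None
        for offset in (0, -1):  # current step, plus the previous one for clock skew
            sample = unseal(one_time_key(user["password"], now, offset), blob)
            if sample is not None:
                break
        else:
            return None  # wrong password, or sent outside the time window
        self.seen.add(blob)
        # Byte equality stands in for the SDK's matcher, which is a fuzzy comparison.
        if not hmac.compare_digest(sample, user["template"]):
            return None
        claims = json.dumps({"uid": user_id, "exp": now + TOKEN_TTL}).encode()
        return seal(pin_from_template(user["template"]), claims)

    def authenticate(self, user_id: str, token: bytes, now: float) -> bool:
        """CipherService side: look up the user, decrypt the TOKEN, check the JSON."""
        user = self.users.get(user_id)
        plaintext = unseal(pin_from_template(user["template"]), token) if user else None
        if plaintext is None:
            return False
        claims = json.loads(plaintext)
        return claims.get("uid") == user_id and claims.get("exp", 0) > now


def demo() -> dict:
    """Run the exchange on constructed users (sample data, not real templates)."""
    users = {"alice": {"password": b"alice-pw", "template": b"\x10" * 64},
             "bob": {"password": b"bob-pw", "template": b"\x20" * 64}}
    server, now = Server(users), 1_700_000_010.0
    blob = client_login_blob(b"alice-pw", users["alice"]["template"], now)
    token = server.login("alice", blob, now + 5)
    return {"login": token is not None,
            "replay": server.login("alice", blob, now + 6) is not None,
            "token_alice": server.authenticate("alice", token, now + 10),
            "token_as_bob": server.authenticate("bob", token, now + 10)}
```

The server has to remember accepted login messages for the lifetime of the time window, because a message sealed under the current one-time key still verifies until the step expires. Since the PIN is a hash of the stored template, the TOKEN key is only as secret as the template database.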
The generation and storage of the user public and private key certificate comprise:
when a user accesses the cipher service CipherService and passes the TOKEN authentication, if the user is logging in to the system for the first time, the user must first apply for and import a signature certificate and an encryption certificate before the cipher service can actually be called. The application flow of the user certificate is as follows:
a user calls a cipher service CipherService interface on a client to generate a signature key pair;
a user calls a cipher service CipherService interface on a client to generate a signature certificate CSR application file (in a P10 format);
the user submits the CSR application file to RA;
RA submits CSR application file and user information to CA;
the CA acquires user information and a CSR application file and applies for a key to the KMC;
the KMC generates a symmetric encryption key and a pair of asymmetric encryption keys (an encryption public key and a decryption private key);
encrypting the decryption private key using the symmetric encryption key;
encrypting the symmetric key using the verification public key provided by the user;
the KMC sends the encryption public key, the encrypted decryption private key and the encrypted symmetric key to the CA;
the CA generates a signature certificate according to the user verification public key and the user information;
the CA generates an encryption certificate according to the encryption public key and the user information;
RA downloads the encryption certificate, the signature certificate, the encrypted decryption private key and the encrypted symmetric encryption key;
the user downloads the encryption certificate, the signature certificate, the encrypted decryption private key and the encrypted symmetric encryption key;
a user calls a cipher service CipherService interface on a client and imports the signature certificate into the cipher service CipherService;
the cipher service CipherService verifies that the signature certificate imported by the user is legitimate (issued by the system CA), is within its validity period, and has a CN consistent with the ID number of the user;
a user calls a CipherService interface on a client and imports the ciphertexts of the encryption certificate and the private key password into the CipherService;
the cipher service CipherService verifies that the encryption certificate imported by the user is legitimate (issued by the system CA), is within its validity period, and has a CN consistent with the ID number of the user;
the cipher service CipherService uses the signature private key to decrypt and obtain a symmetric encryption key;
the cipher service CipherService uses the symmetric encryption key to decrypt to obtain a decryption private key;
and symmetrically encrypting and storing the signature private key and the decryption private key of the user in a database by using a PIN code generated by hashing user template information.
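The three import checks in the flow above (issued by the system CA, within the validity period, CN equal to the user's ID number), as an added Go example that is not code from the patent. ECDSA P-256, the `issue` helper standing in for the CA, and the sample user IDs are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkImportedCert applies the three import checks from the flow above:
// issued by the system CA, inside its validity period, CN equal to the user ID.
func checkImportedCert(der []byte, systemCA *x509.Certificate, userID string, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(systemCA)
	// Verify checks the CA signature and NotBefore/NotAfter against `now`.
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("not a valid certificate from the system CA: %w", err)
	}
	if cert.Subject.CommonName != userID {
		return errors.New("certificate CN does not match the user ID")
	}
	return nil
}

// issue is a hypothetical helper standing in for the CA: it creates a
// certificate for cn; parent == nil yields a self-signed CA certificate.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	from, to time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    from,
		NotAfter:     to,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	now := time.Now()
	ca, caKey, err := issue("Constructed System CA", nil, nil, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	leaf, _, err := issue("user-1001", ca, caKey, now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("own certificate:", checkImportedCert(leaf.Raw, ca, "user-1001", now))
	fmt.Println("other user's ID:", checkImportedCert(leaf.Raw, ca, "user-2002", now))
	fmt.Println("after expiry:   ", checkImportedCert(leaf.Raw, ca, "user-1001", now.Add(2*time.Hour)))
}
```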
The user data encryption and decryption comprises:
after the user imports the encryption certificate at the client, the data can be encrypted and decrypted based on the encryption public and private key pair.
The encryption process is as follows:
a user inputs a section of data to be encrypted, an algorithm type selected by the user and an encryption mode to a cipher service CipherService;
the cipher service CipherService generates a symmetric encryption key and an initial vector IV according to an algorithm and a mode selected by a user; using a symmetric encryption key to encrypt user data by a symmetric algorithm, and using a user encryption public key to encrypt the symmetric encryption key;
and returning the symmetric encryption key ciphertext and the user data ciphertext to the client.
The decryption process is as follows:
a user transmits a section of information such as a user data ciphertext, a symmetric encryption key ciphertext and the like to a cipher service CipherService;
the cipher service CipherService uses the PIN code of the user to decrypt the decryption private key of the user; decrypting the symmetric encryption key using the user decryption private key; decrypting the user data ciphertext using the symmetric encryption key;
and returning the decrypted user data to the client.
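The encryption and decryption flows above, together with the PIN-protected storage of the decryption private key, as an added Go example that is not code from the patent. RSA-OAEP, AES-256-GCM, SHA-256 as the template hash and all function names are assumptions; the page names no algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// pinFromTemplate: assumed to be SHA-256 over the enrolled template bytes (the page names no hash).
func pinFromTemplate(template []byte) [32]byte { return sha256.Sum256(template) }

func gcm(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block cipher
	return aead
}

// seal returns nonce||ciphertext under AES-256-GCM (assumed algorithm and mode);
// open reverses it and rejects a wrong key or altered data.
func seal(key [32]byte, plaintext []byte) ([]byte, error) {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}
func open(key [32]byte, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// enroll stands in for certificate import: the decryption private key is stored sealed under the PIN.
func enroll(template []byte) (*rsa.PublicKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(pinFromTemplate(template), x509.MarshalPKCS1PrivateKey(priv))
	return &priv.PublicKey, wrapped, err
}

// encryptForUser: fresh data key per call, data under that key, key under the user's public key.
func encryptForUser(pub *rsa.PublicKey, data []byte) (keyCT, dataCT []byte, err error) {
	var dataKey [32]byte
	if _, err = rand.Read(dataKey[:]); err != nil {
		return nil, nil, err
	}
	if dataCT, err = seal(dataKey, data); err != nil {
		return nil, nil, err
	}
	keyCT, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey[:], nil)
	return keyCT, dataCT, err
}

// decryptForUser: the PIN unwraps the private key, which unwraps the data key, which opens the data.
func decryptForUser(template, wrappedPriv, keyCT, dataCT []byte) ([]byte, error) {
	der, err := open(pinFromTemplate(template), wrappedPriv)
	if err != nil {
		return nil, fmt.Errorf("unwrap decryption private key: %w", err)
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, keyCT, nil)
	if err != nil || len(raw) != 32 {
		return nil, fmt.Errorf("cannot recover data key")
	}
	var dataKey [32]byte
	copy(dataKey[:], raw)
	return open(dataKey, dataCT)
}

func main() {
	tpl := []byte("constructed-template") // constructed sample, not biometric data
	pub, wrapped, _ := enroll(tpl)
	keyCT, dataCT, _ := encryptForUser(pub, []byte("constructed user data"))
	pt, err := decryptForUser(tpl, wrapped, keyCT, dataCT)
	_, wrongErr := decryptForUser([]byte("another template"), wrapped, keyCT, dataCT)
	fmt.Printf("right template: %q %v\nwrong template: %v\n", pt, err, wrongErr)
}
```

Because the storage key is a hash of the template, the unwrap step only succeeds when exactly the same template bytes are presented.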
The user digital signature and verification comprises the following steps:
after the user passes the fingerprint identity authentication at the client, the digital signature and signature verification service of data can be carried out based on the signature public and private key pair.
The digital signature process is as follows:
a user transmits a piece of data to be signed to a cipher service CipherService;
the cipher service CipherService sends the signature private key ciphertext and the user data together into the cipher card to perform the following operations: generating a hash value of the user data using a hash algorithm; decrypting the signature private key of the user by using the PIN (personal identification number) code calculated from the fingerprint template, and carrying out private key encryption (namely digital signature) on the hash value by using the signature private key of the user to obtain a signature value; returning the signature value to the client;
The verification process is as follows:
sending the ID, the original data and the signature value of the opposite user to a cipher service CipherService;
the cipher service CipherService looks up the signature certificate of the user according to the ID of the opposite user, and verifies the validity of the certificate (whether the certificate is issued by the CA and whether it is within the validity period); extracting a verification public key from the signature certificate; sending the verification public key, the user data and the signature value together into the cipher card to perform the following operations: carrying out public key decryption (namely signature verification) on the signature value to obtain a hash value 1; carrying out hash operation on the original data by using a hash algorithm to obtain a hash value 2; comparing hash value 1 and hash value 2: if the two are the same, the verification is successful, and if the two are different, the verification fails; and returning the result of successful or failed verification to the client.
The invention discloses a method for public key cipher centralized service based on fingerprint identification. Under this fingerprint-based centralized public key cipher service mechanism, in an environment with a network transmission encryption function, a user performs identity authentication through fingerprint identification equipment on the client side and thereby obtains the right to use the user's private key held on the public key cipher server, and the public key cipher server can provide cipher services such as digital signature and verification and user data encryption and decryption for these users.
The present invention can be used in two aspects. Firstly, in a cloud computing environment, the data and computing of a user are not stored and operated locally but are delivered to a cloud server for storage, operation and resource sharing, and data security and privacy problems have become important obstacles to the development of cloud computing. Identity authentication is carried out by fingerprint identification technology, and the security of a user accessing the cloud is ensured by the advantages of fingerprint characteristics: uniqueness, invariance, and difficulty of being lost, forgotten or forged. Meanwhile, the communication between the user side and the cloud side adopts an IPSec VPN or the SSL protocol, which further ensures data security during network transmission. On this basis, public key cryptographic services such as digital signature and verification and user data encryption and decryption are provided for the user, and the personal data of the user is encrypted and stored, so that the privacy of the user is ensured. With the continuous development of fingerprint identification technology and the continuous decline of hardware cost, public key cryptographic service technology based on fingerprint identification is bound to obtain wider application and to further promote the development of the cloud computing industry.
Secondly, in the client/server computing mode, a network comprising a plurality of subnets generally adopts network transmission encryption measures among the subnets, which ensures the confidentiality of remote data transmission but cannot protect the user's personal data and private information. The invention binds the user and the user's certificate together through fingerprint identification, and on this basis ensures that the user uses the user's own digital certificate (and private key) to carry out digital signature and encryption protection on the user's data. As people pay more attention to the protection of personal privacy information and personal data, public key cryptographic service technology based on fingerprint identification will be applied and developed.
When a user registers, the collected user fingerprint is encrypted and protected and then stored in the database, so that the possibility of leakage of the plaintext data of the user fingerprint is prevented; when a user logs in, the acquired user fingerprint is transmitted to the background server after OTP one-time pad protection, so that the possibility of data leakage in the network communication process is prevented; the invention stores the public and private keys of the users centrally at the server end, so that the terminal can provide public key cipher services for the user without being configured with a cipher machine or a cipher card.
The above description is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various improvements and modifications without departing from the technical principle of the present invention, and those improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (7)

1. A method for centralized service of public key cryptography based on fingerprint identification is characterized by comprising the following steps:
performing login authentication, including:
when a client connects to a login service to synchronize time, sending the acquired user fingerprint to the login service for verification after the user fingerprint is protected by a one-time pad algorithm;
the login service compares the collected user fingerprint information with the user fingerprint information stored in the database server for verification, and if the verification fails, an error message is returned;
the login service compares the collected user fingerprint information with user fingerprint information stored in a database server for verification; after the authentication is passed, the login service generates a TOKEN, a password service node is selected for the client, the TOKEN and the IP address and the port number of the password service node are returned to the client, and the TOKEN authentication is carried out when the user accesses the password service; and
when the user accesses the password service, the password service passes the TOKEN authentication; if the login authentication is passed, continuing, otherwise, ending; and
judging whether the system is logged in for the first time, if so, calling a password service to generate a signature public and private key pair and a signature certificate CSR application file, then submitting the CSR file to a CA (certificate authority) to apply for a signature certificate and an encryption certificate, verifying whether a user import certificate is a valid legal certificate signed and issued to the user by the CA when the CA returns the signature, encryption certificate and encryption private key, decrypting and converting the user public and private key certificate and related files after the verification is passed, and encrypting and storing a PIN code generated by a user fingerprint template in a database;
after a user encryption and signature certificate is imported into a client, data encryption and decryption services are carried out based on a public key and a private key in the encryption certificate, or signature verification services are carried out based on the signature public key and the private key;
the one-time pad algorithm protection comprises the following steps: when logging in, a user inputs a password, a client calculates the user password and time factor data by using an HMAC algorithm to obtain a one-time password as a key of the HMAC algorithm, and the one-time password is used for carrying out transmission protection on fingerprint acquisition information;
the decryption private key and the signature private key are encrypted and protected by a PIN code generated by hashing user fingerprint template information; the signature private key and the verification public key certificate are used for carrying out digital signature and signature verification on the user data; the user file/data key is used for carrying out symmetric algorithm encryption on files or data requested to be encrypted by a user, the user file/data key is encrypted and protected by the user encryption public key, and the user file/data key is decrypted by the user decryption private key;
the application process of each user certificate comprises the following steps:
calling a password service interface on a client to generate a signature key pair;
calling a password service interface on a client to generate a signature certificate CSR application file;
submitting the CSR application file to RA;
RA submits CSR application file and user information to CA;
the CA acquires user information and a CSR application file and applies for a key from the KMC;
the KMC generates a symmetric encryption key and a pair of asymmetric encryption keys, wherein the asymmetric encryption key is an encryption public key and a decryption private key;
encrypting the decryption private key using the symmetric encryption key;
encrypting the symmetric key using the verification public key provided by the user;
the KMC sends the encryption public key, the encrypted decryption private key and the encrypted symmetric key to the CA;
the CA generates a signature certificate according to the user verification public key and the user information;
the CA generates an encryption certificate according to the encryption public key and the user information;
RA downloads the encryption certificate, the signature certificate, the encrypted decryption private key, and the encrypted symmetric encryption key;
the user downloads the encryption certificate, the signature certificate, the encrypted decryption private key and the encrypted symmetric encryption key;
calling a password service interface on a client, and importing a signature certificate into a password service;
the password service verifies the legality and validity period of the signature certificate imported by the user and whether CN is consistent with the ID number of the user;
calling a password service interface on the client, and importing the ciphertexts of the encryption certificate and the private key password into the password service;
the password service verifies the legality and validity period of the encryption certificate imported by the user and whether CN is consistent with the ID number of the user;
the cryptographic service decrypts the encrypted data by using the signature private key to obtain a symmetric encryption key;
the cryptographic service decrypts the encrypted data using the symmetric encryption key to obtain a decrypted private key;
and symmetrically encrypting and storing the signature private key and the decryption private key of the user in a database by using a PIN code generated by hashing user template information.
2. The method as claimed in claim 1, wherein each time a user encrypts data, the user first calls the initialization interface to generate a symmetric encryption key according to a symmetric algorithm and mode, and the user encrypts the public key to protect the user file and the data with one-time encryption.
3. The method for centralized services of public key cryptography based on fingerprint identification according to claim 1, wherein TOKEN plaintext is symmetrically encrypted using a user fingerprint template PIN code as a key;
the client carries the TOKEN to access the password service, the password service provided by the password service is called, the password service searches user information according to the user ID number, the TOKEN is decrypted by using a fingerprint template PIN code, and the clear text of the TOKEN data is verified.
4. The method for centralized service of public key cryptography based on fingerprint identification according to claim 1, wherein, after the user imports the encryption certificate at the client, the encryption service within the data encryption and decryption service based on the encryption public and private key pair comprises:
inputting a section of data to be encrypted, an algorithm type selected by a user and an encryption mode to a password service;
the cryptographic service generates a symmetric encryption key and an initial vector according to an algorithm and a mode selected by a user; using a symmetric encryption key to encrypt user data by a symmetric algorithm, and using a user encryption public key to encrypt the symmetric encryption key;
and returning the symmetric encryption key ciphertext and the user data ciphertext to the client.
5. The method for centralized service of public key cryptography based on fingerprint identification according to claim 1, wherein, after the user imports the encryption certificate at the client, the decryption service within the data encryption and decryption service based on the encryption public and private key pair is as follows:
the user transmits a section of information such as a user data ciphertext, a symmetric encryption key ciphertext and the like to the password service;
the password service decrypts the user's decryption private key using the user's PIN code; decrypting the symmetric encryption key using the user decryption private key; decrypting the user data ciphertext using the symmetric encryption key;
and returning the decrypted user data to the client.
6. The method for centralized service of public key cryptography based on fingerprint identification according to claim 1, wherein the user digital signature and verification comprises:
after a user passes fingerprint identity authentication at a client, performing digital signature and signature verification service on data based on a signature public and private key pair;
the digital signature process comprises the following steps:
the user transmits a piece of data to be signed to the password service;
the cipher service sends the signature private key ciphertext and the user data into the cipher card together to perform the following operations: generating a hash value of the user data using a hash algorithm; calculating a PIN code by using a fingerprint template to decrypt a signature private key of a user, and carrying out private key encryption on the hash value by using the signature private key of the user to obtain a signature value; returning the signature value to the client;
the signature verification process comprises the following steps:
sending the ID, the original data and the signature value of the opposite user to a password service;
the password service searches the signature certificate of the user according to the ID of the opposite user and verifies the validity of the certificate; extracting a verification public key from the signature certificate; sending the verification public key, the user data and the signature value together into the cipher card to perform the following operations: carrying out public key decryption on the signature value to obtain a hash value 1; carrying out hash operation on the original data by using a hash algorithm to obtain a hash value 2; comparing hash value 1 and hash value 2: if the two are the same, the verification is successful, and if the two are different, the verification fails; and returning the result of successful or failed verification to the client.
7. The method of claim 1, wherein after the CA issues the signature certificate, an encryption public and private key pair is generated for the user, the CA signs the encryption certificate for the user with reference to the CSR file carrying user information, the CA generates a random number as a password to protect the private key in the encryption key pair, and then encrypts the random number with the public key in the CSR file.
CN202010216292.8A 2020-03-25 2020-03-25 Method for centralized service of public key and cipher based on fingerprint identification Active CN111447214B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010216292.8A CN111447214B (en) 2020-03-25 2020-03-25 Method for centralized service of public key and cipher based on fingerprint identification

Publications (2)

Publication Number Publication Date
CN111447214A CN111447214A (en) 2020-07-24
CN111447214B true CN111447214B (en) 2022-07-05

Family

ID=71650748

Country Status (1)

Country Link
CN (1) CN111447214B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant